When working with Active Directory, LDAP queries are essential for retrieving specific user data. The core challenge lies in combining multiple conditions correctly. For our case, we need to:
- Filter for user objects (objectClass=person or objectClass=user)
- Exclude disabled accounts (userAccountControl bitmask)
- Include only members of a specific security group
Here's the proper LDAP filter that accomplishes all requirements:
```
(&(objectClass=user)(memberOf=CN=Google Apps Users,OU=Groups,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```
Key components explained:
objectClass=user
- Targets user accounts (more precise than 'person')
memberOf=
- Specifies group membership (full distinguished name required)
userAccountControl:1.2.840.113556.1.4.803:=2
- Bitwise AND operation to check for disabled accounts
PowerShell Example
```powershell
Get-ADUser -LDAPFilter "(&(objectClass=user)(memberOf=CN=Google Apps Users,OU=Groups,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
```
C# .NET Implementation
```csharp
using System.DirectoryServices;

DirectoryEntry entry = new DirectoryEntry("LDAP://DC=domain,DC=com");
DirectorySearcher search = new DirectorySearcher(entry);
search.Filter = "(&(objectClass=user)(memberOf=CN=Google Apps Users,OU=Groups,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
foreach (SearchResult result in search.FindAll())
{
    // Process enabled users
}
```
Many administrators encounter these issues:
| Issue | Solution |
|---|---|
| Query too slow | Add indexed attributes to filter |
| Missing users | Check for nested group membership |
| Incorrect group DN | Use Get-ADGroup to verify exact name |
For GADS configuration, consider these additional filters:
```
# Sync only mail-enabled users
(&(objectClass=user)(memberOf=CN=Google Apps Users,OU=Groups,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*))
```
Remember to test your queries with a small subset before applying to production synchronization.
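As an added example (not code from either answer), a small Python script that builds the filter above from the group DN with RFC 4515 escaping, then applies the same three conditions to constructed sample entries; it also shows the nested-group case from the table. The group DN and sample accounts are assumptions.

```python
# Added example (not from the original answers): build the filter above with proper
# RFC 4515 escaping and check the same three conditions against constructed entries.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled account
GROUP = "CN=Google Apps Users,OU=Groups,DC=domain,DC=com"  # group DN from the answer

def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in an LDAP filter (RFC 4515 section 3).
    Without this, a group name containing '(' ')' '*' or '\\' changes the filter logic."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))

def build_filter(group_dn: str, require_mail: bool = False) -> str:
    """Enabled user objects that are direct members of group_dn (optionally mail-enabled)."""
    parts = ["(objectClass=user)",
             f"(memberOf={escape_filter_value(group_dn)})",
             "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"]  # bitwise AND rule
    if require_mail:
        parts.append("(mail=*)")
    return "(&" + "".join(parts) + ")"

# Constructed sample entries standing in for search results; not real directory data.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "memberOf": [GROUP],
     "mail": "alice@domain.com"},                               # normal enabled account
    {"sAMAccountName": "bob", "userAccountControl": 514, "memberOf": [GROUP],
     "mail": "bob@domain.com"},                                 # 512 | 2 = disabled
    {"sAMAccountName": "carol", "userAccountControl": 512,
     "memberOf": ["CN=Nested,OU=Groups,DC=domain,DC=com"]},    # member only via nesting
    {"sAMAccountName": "dave", "userAccountControl": 66048, "memberOf": [GROUP]},
                                                                # 512 | 65536, no mail attribute
]

def matches(entry: dict, group_dn: str, require_mail: bool = False) -> bool:
    """Evaluate the filter's conditions locally, the way the directory server would."""
    enabled = not (entry["userAccountControl"] & ACCOUNTDISABLE)
    direct_member = group_dn in entry.get("memberOf", [])  # memberOf lists direct groups only
    has_mail = bool(entry.get("mail")) if require_mail else True
    return enabled and direct_member and has_mail

def enabled_members(entries, group_dn: str, require_mail: bool = False) -> list:
    """Names of entries the filter would return; carol is missed unless nesting is expanded."""
    return [e["sAMAccountName"] for e in entries if matches(e, group_dn, require_mail)]
```

Running `enabled_members(SAMPLE_USERS, GROUP)` returns alice and dave only: bob is disabled and carol is a member through a nested group, which `memberOf` does not expand.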
When working with Active Directory synchronization, a common need is to query users who meet two specific conditions:
- Belong to a particular security group
- Have active (non-disabled) accounts
The query you attempted was close but needs refinement. Here's the proper format:
```
(&(objectClass=user)(memberOf=CN=Google Apps Users,OU=Groups,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```
1. Object class filtering: Using objectClass=user is more precise than objectClass=person for Active Directory users.
2. Group membership: The memberOf attribute requires the full distinguished name of the group. Replace with your actual group DN.
3. Account status check: The userAccountControl bitmask operation (:1.2.840.113556.1.4.803:) properly checks for disabled accounts (bit 2).
PowerShell Example:
```powershell
$ldapFilter = "(&(objectClass=user)(memberOf=CN=Google Apps Users,OU=Groups,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
Get-ADUser -LDAPFilter $ldapFilter
```
C# Example:
```csharp
using System.DirectoryServices;

DirectoryEntry entry = new DirectoryEntry("LDAP://DC=domain,DC=com");
DirectorySearcher search = new DirectorySearcher(entry);
search.Filter = "(&(objectClass=user)(memberOf=CN=Google Apps Users,OU=Groups,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
foreach (SearchResult result in search.FindAll())
{
    // Process each enabled user in the group
}
```
For GADS implementation, you would use this LDAP query in your synchronization rules. Additionally consider:
- Setting up attribute mapping between AD and Google Workspace
- Configuring the synchronization schedule
- Implementing the suspend option for disabled accounts
For large directories:
- Add index hints if querying frequently
- Consider paging for result sets over 1000 users
- Cache results when possible